nadgowdas
commented
3 years ago There are growing number of options in the overall SBOM management, including:
1. When to generate SBOM : It could be pre-build or post-build. In pre-build SBOM is generated in DevSecOps pipeline before building an image. And it is done by scanning source artifacts like Dockerfile, requirements.txt etc. In the post-build, SBOM is generated after image is built, by scanning an image.
2. SBOM tool: Again, n number of open-source tools are available providing SBOM generation in various capacities
3. SBOM format: Currently, there are atleast 3 format options, viz. SPDX, CycloneDX, SWID. At the moment, there is no lossless conversion possible across them, which tells us that they differ significantly in the specs.
4. SBOM persistence: There's solid solution available with cosign to attach SBOM to an image and store it in OCI registry.
In the scope of this work, I would suggest following:
- We generate SBOM both
pre-buildandpost-buildstages. We use one of the existing open-source tool or commercial tool to do that. - Instead of siding with one of the format, use simple
JSONformat to document SBOM. Ensure we can do lossless conversion from it to one of the "standard" format. - Use
cosignto sign and attach SBOM to an image and persist in the same OCI registry as image
lukehinds
We need to figure out an initial lean SBOM format and establish if that can be ingested and meaningfully processed by actor in the chain